https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94534#M19669 <P>I have tried the following settings without success:</P> <PRE><CODE>LINE_BREAKER = ~\\ LINE_BREAKER = ~\\^ LINE_BREAKER = ([~\\]+) LINE_BREAKER = (.*)[~\\](.*) LINE_BREAKER = .*~\\.* </CODE></PRE> <P>An example string would be:</P> <PRE><CODE>SMSEUCP_7110:STATUS:1049110|7116|7110|192.168.0.5 1180178|7112|7110|192.168.0.5 14156304|7111|7110|192.168.0.5 1180174|7117|7110|192.168.0.5 1180170|7119|7110|192.168.0.5 5767676|7113|7110|192.168.0.5 5308816|7114|7110|192.168.0.5 1573452|7115|7110|192.168.0.5 2426006|7118|7110|192.168.0.5 11141326|7110|7110|192.168.0.5~\SMSEMO_0000:S:(0000) Incoming : 3161234567 oh really? let do that then, ok?~\SMSEMO_0000:P:Posting : <A href="http://someurlwithparameters~\" target="test_blank">http://someurlwithparameters~\</A> </CODE></PRE> <P>The end result should be multiline events split by ~\ like so:</P> <P>Event 1:</P> <PRE><CODE>SMSEUCP_7110:STATUS:1049110|7116|7110|192.168.0.5 1180178|7112|7110|192.168.0.5 14156304|7111|7110|192.168.0.5 1180174|7117|7110|192.168.0.5 1180170|7119|7110|192.168.0.5 5767676|7113|7110|192.168.0.5 5308816|7114|7110|192.168.0.5 1573452|7115|7110|192.168.0.5 2426006|7118|7110|192.168.0.5 11141326|7110|7110|192.168.0.5 </CODE></PRE> <P>Event 2:</P> <PRE><CODE>SMSEMO_0000:S:(0000) Incoming : 3161234567 oh really? let do that then, ok? </CODE></PRE> <P>Event 3:</P> <PRE><CODE>SMSEMO_0000:P:Posting : <A href="http://someurlwithparameters" target="test_blank">http://someurlwithparameters</A> </CODE></PRE> <P>I'm no regexp guru, but I thought this would be easier <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Wed, 04 May 2011 14:11:25 GMT Megamuch 2011-05-04T14:11:25Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94532#M19667 <P>While testing out Splunk I wanted to see if I could easily create a custom input into splunk using ncat and the UDP splunk input.</P> <P>The input works, now I have to tell splunk how to split the input stream. </P> <P>The input is a multiline string which contains either XML or pipe (|) delimited data but is always terminated by ~\</P> <P>So I created a new props.conf in %$SPLUNK_HOME%/etc/system/local/ and added the following:</P> <PRE><CODE>[source::c:\\splunkinput\\my.log] LINE_BREAKER = ^~\$ </CODE></PRE> <P>Unfortunately nothing happens and I have not yet figured out how to check what exactly is going when importing a new file into splunk.</P> <P>The end result should be for every sequence (with carriage returns etc) between ~\ should be considered a new event. </P> <P>Any tips?</P> <P>P.s. is there a way to activate the props.conf changes without restarting splunkd?</P> Wed, 04 May 2011 09:49:48 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94532#M19667 Megamuch 2011-05-04T09:49:48Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94533#M19668 <P>In your regex you need to escape the backslash as such:</P> <PRE><CODE>LINE_BREAKER = ^~\\$ </CODE></PRE> <P>If <CODE>~\</CODE> is not on a line by itself, drop the leading caret from your LINE_BREAKER definition:</P> <PRE><CODE>LINE_BREAKER = ~\\$ </CODE></PRE> <P>I believe for event parsing configurations (such as LINE_BREAKER) you need to restart splunkd, however search time configurations (field extractions for example) in props.conf are applied automatically without having to restart Splunkd.</P> <P>[EDIT Based on more info provided]</P> <P>Based on the sample data, give the following a try in your props.conf:</P> <PRE><CODE>[source::c:\\splunkinput\\my.log] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = false MUST_BREAK_AFTER = ~\\ </CODE></PRE> Wed, 04 May 2011 13:10:41 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94533#M19668 ftk 2011-05-04T13:10:41Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94534#M19669 <P>I have tried the following settings without success:</P> <PRE><CODE>LINE_BREAKER = ~\\ LINE_BREAKER = ~\\^ LINE_BREAKER = ([~\\]+) LINE_BREAKER = (.*)[~\\](.*) LINE_BREAKER = .*~\\.* </CODE></PRE> <P>An example string would be:</P> <PRE><CODE>SMSEUCP_7110:STATUS:1049110|7116|7110|192.168.0.5 1180178|7112|7110|192.168.0.5 14156304|7111|7110|192.168.0.5 1180174|7117|7110|192.168.0.5 1180170|7119|7110|192.168.0.5 5767676|7113|7110|192.168.0.5 5308816|7114|7110|192.168.0.5 1573452|7115|7110|192.168.0.5 2426006|7118|7110|192.168.0.5 11141326|7110|7110|192.168.0.5~\SMSEMO_0000:S:(0000) Incoming : 3161234567 oh really? let do that then, ok?~\SMSEMO_0000:P:Posting : <A href="http://someurlwithparameters~\" target="test_blank">http://someurlwithparameters~\</A> </CODE></PRE> <P>The end result should be multiline events split by ~\ like so:</P> <P>Event 1:</P> <PRE><CODE>SMSEUCP_7110:STATUS:1049110|7116|7110|192.168.0.5 1180178|7112|7110|192.168.0.5 14156304|7111|7110|192.168.0.5 1180174|7117|7110|192.168.0.5 1180170|7119|7110|192.168.0.5 5767676|7113|7110|192.168.0.5 5308816|7114|7110|192.168.0.5 1573452|7115|7110|192.168.0.5 2426006|7118|7110|192.168.0.5 11141326|7110|7110|192.168.0.5 </CODE></PRE> <P>Event 2:</P> <PRE><CODE>SMSEMO_0000:S:(0000) Incoming : 3161234567 oh really? let do that then, ok? </CODE></PRE> <P>Event 3:</P> <PRE><CODE>SMSEMO_0000:P:Posting : <A href="http://someurlwithparameters" target="test_blank">http://someurlwithparameters</A> </CODE></PRE> <P>I'm no regexp guru, but I thought this would be easier <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Wed, 04 May 2011 14:11:25 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94534#M19669 Megamuch 2011-05-04T14:11:25Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94535#M19670 <P>I've updated my answer based on the sample data. If that doesnt work, try playing around with some other line breaking settings in props.conf: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Propsconf">http://www.splunk.com/base/Documentation/latest/Admin/Propsconf</A></P> Wed, 04 May 2011 15:46:25 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94535#M19670 ftk 2011-05-04T15:46:25Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94536#M19671 <P>Hmm, can you use <CODE>^</CODE> in <CODE>LINE_BREAKER</CODE>? I would think that you'd always need to use something like <CODE>[\r\n]+</CODE> instead of <CODE>^</CODE> or <CODE>$</CODE>... Just my 2 cents.. And after re-reading all this info, I don't think you want to use end-of-string (<CODE>$</CODE>), start-of-string (<CODE>^</CODE>), or traditional-end-of-line (<CODE>[\r\n]</CODE>) stuff at all...</P> Tue, 11 Oct 2011 15:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94536#M19671 Lowell 2011-10-11T15:36:16Z https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94537#M19672 <P>I think you simply want</P> <PRE><CODE>[mysourcetype] LINE_BREAKER = (~\\) # You may need to increase this (default 100) LINE_BREAKER_LOOKBEHIND = 1000 SHOULD_LINEMERGE = false </CODE></PRE> <P>There are two things to consider here: 1.) Splunk wants a matching group in the LINE_BREAKER, and 2.) I'm not sure it's valid to end a regex with the backslash (<CODE>\</CODE>) character. But I could be wrong.</P> <P>I just re-read the question, and it sounds like you also want newlines to be split events. If that's correct, then try the following:</P> <PRE><CODE>LINE_BREAKER = (~\\|[\r\n]+) </CODE></PRE> Tue, 11 Oct 2011 15:42:02 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-props-conf-LINE-BREAKER/m-p/94537#M19672 Lowell 2011-10-11T15:42:02Z